Proxmox 7.1 on cloud network config

by | 21 January 2022

https://community.hetzner.com/tutorials/proxmox-on-cloud

Hetzner configuration, Proxmox 7.1

sed -i 's/^deb/#deb/g' /etc/apt/sources.list.d/pve-enterprise.list
echo "deb [arch=amd64] http://download.proxmox.com/debian/pve bullseye pve-no-subscription" > /etc/apt/sources.list.d/pve-install-repo.list


apt install net-tools -y
apt install ifupdown2 -y
apt install openvswitch-switch -y


auto lo
iface lo inet loopback

auto enp1s0
iface enp1s0 inet static
        address 5.X.X.X/32
        gateway 172.31.1.1
        pointopoint 172.31.1.1
        dns-nameservers 213.133.98.98 213.133.99.99 213.133.100.100


auto enp7s0
iface enp7s0 inet static
        address 10.0.0.4/28
        post-up route add -net 10.0.0.0 netmask 255.255.255.240 gw 10.0.0.1 dev enp7s0


auto vmbr0
iface vmbr0 inet static
        address 172.20.1.1
        netmask 255.255.255.0
        bridge_ports none
        bridge_stp off
        bridge_fd 0
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward

        post-up iptables -t nat -A POSTROUTING -s '172.20.1.0/24' -o enp1s0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '172.20.1.0/24' -o enp1s0 -j MASQUERADE

        # VM-WEB HTTP 80:172.20.1.5:80
        post-up iptables -t nat -A PREROUTING -i enp1s0 -p tcp --dport 80 -j DNAT --to 172.20.1.5:80
        post-down iptables -t nat -D PREROUTING -i enp1s0 -p tcp --dport 80 -j DNAT --to 172.20.1.5:80

Proxmox 7 with a Single Public IP – Setup a Private Network


Proxmox can easily be configured to put all or some of your VM/Containers in a NATed private network. You can even forward ports from your public IP address to your containers. Unfortunately, it is not possible to configure this setup from the Web GUI, but the changes to the configuration file are very simple. All changes and additions are outlined in this post.

The Setup
We are going to assume we have 3 VMs/Containers on our Proxmox server.

  1. VM-WEB (Web server, needs ports 80 and 443)
  2. VM-SMTP (Mail Server, needs ports 25 and 465)
  3. VM-CAPP (Custom App, run on port 5000, but needs outside port 1025)
  • Public IP: 1.2.3.4
  • Private Network: 192.168.0.0/24 (192.168.0.1 – 192.168.0.254)
  • Private IP of Host: 192.168.0.254
  • Private IP of VM-WEB: 192.168.0.1
  • Private IP of VM-MAIL: 192.168.0.2
  • Private IP of VM-CAPP: 192.168.0.3

Configuring the Hosts Network
The first task is to create a network bridge. We are going to call this bridge vmbr2.

SSH into your host and add the following to /etc/network/interfaces

auto vmbr2
iface vmbr2 inet static
address 192.168.0.254
netmask 255.255.255.0
bridge_ports none
bridge_stp off
bridge_fd 0
post-up echo 1 > /proc/sys/net/ipv4/ip_forward
post-up iptables -t nat -A POSTROUTING -s '192.168.0.0/24' -o vmbr0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '192.168.0.0/24' -o vmbr0 -j MASQUERADE

# VM-WEB HTTP 80:192.168.0.1:80
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to 192.168.0.1:80
post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to 192.168.0.1:80

# VM-WEB HTTPS 443:192.168.0.1:443
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 443 -j DNAT --to 192.168.0.1:443
post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 443 -j DNAT --to 192.168.0.1:443

# VM-SMTP SMTP 25:192.168.0.2:25
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 25 -j DNAT --to 192.168.0.2:25
post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 25 -j DNAT --to 192.168.0.2:25

# VM-SMTP SMTPtls 465:192.168.0.2:465
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 465 -j DNAT --to 192.168.0.2:465
post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 465 -j DNAT --to 192.168.0.2:465

# VM-CAPP CustomApp 1025:192.168.0.3:5000
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 1025 -j DNAT --to 192.168.0.3:5000
post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 1025 -j DNAT --to 192.168.0.3:5000

Let's explain what is going on here.

The first block, from auto vmbr2 to the first post-down, sets up the bridge, assigns the IP 192.168.0.254 to the host, turns on IP forwarding, and enables NAT (masquerading) for the 192.168.0.0/24 network out through vmbr0.

The following blocks set up the individual port forwards. Each port forward needs both a post-up line (adds the DNAT rule when the bridge comes up) and a post-down line (removes it again when the bridge goes down). To create your own port forwards, follow the template below.

# Outside XXX -> LO.CA.AL.IP:YYY
post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport XXX -j DNAT --to LO.CA.AL.IP:YYY
post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport XXX -j DNAT --to LO.CA.AL.IP:YYY
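
Filling that template by hand is where typos creep in (a port that is not a port, an address with a missing octet, the same outside port forwarded twice to different VMs). The script below is an added example, not part of the original post: it generates the post-up/post-down pair from the three template values after validating them, and refuses a block that lists one outside port twice. WAN_IF is an assumption matching the post's use of vmbr0 as the public-facing bridge; the sample forwards at the bottom are the post's own VM-WEB and VM-CAPP entries.

```shell
#!/bin/sh
# Added example, not from the original post: emit the post-up/post-down pair
# for one TCP port forward from the post's template, after checking the inputs.
# WAN_IF is an assumption (the post uses vmbr0 as the public bridge).

WAN_IF="vmbr0"

# is_port PORT -> true if PORT is an integer in 1..65535
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# is_ipv4 ADDR -> true if ADDR is a dotted quad with every octet in 0..255
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# pf_rules OUTSIDE_PORT LOCAL_IP LOCAL_PORT
# Prints the comment line and the iptables post-up/post-down pair for
# /etc/network/interfaces; returns 1 (printing nothing) on bad input.
pf_rules() {
    pf_out=$1; pf_ip=$2; pf_lport=$3
    is_port "$pf_out"   || { echo "pf_rules: bad outside port '$pf_out'" >&2; return 1; }
    is_ipv4 "$pf_ip"    || { echo "pf_rules: bad IPv4 address '$pf_ip'" >&2; return 1; }
    is_port "$pf_lport" || { echo "pf_rules: bad local port '$pf_lport'" >&2; return 1; }
    pf_match="PREROUTING -i $WAN_IF -p tcp --dport $pf_out -j DNAT --to $pf_ip:$pf_lport"
    printf '# Outside %s -> %s:%s\n' "$pf_out" "$pf_ip" "$pf_lport"
    printf 'post-up iptables -t nat -A %s\n' "$pf_match"
    printf 'post-down iptables -t nat -D %s\n' "$pf_match"
}

# pf_block "OUT IP PORT" ... -> rules for several forwards; fails if an
# outside port is listed twice (the first DNAT match would silently win).
pf_block() {
    seen=""
    for spec in "$@"; do
        set -- $spec
        case " $seen " in
            *" $1 "*) echo "pf_block: outside port $1 listed twice" >&2; return 1 ;;
        esac
        seen="$seen $1"
        pf_rules "$1" "$2" "$3" || return 1
        echo
    done
}

# Usage: two of the post's forwards as a ready-to-paste block
pf_block "80 192.168.0.1 80" "1025 192.168.0.3 5000"
```

Paste the output under the vmbr2 stanza; because each rule is emitted from one string, the post-up and post-down lines can never drift apart.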

Making the Changes Active
Once all your port forwards are set up, either reboot the host or run systemctl restart networking from the CLI.

Setup of the VMs/Containers
The only thing left is to set up your VMs. Thankfully, this is very easy.

When you are setting up your VM, select the vmbr2 bridge.

Now configure your VM with the following network settings:

  • IP Address: 192.168.0.X (where X is the private IP of the machine)
  • Network Mask: 255.255.255.0
  • Gateway: 192.168.0.254

Try it Out
If all went to plan, you should have a web server, mail server, and custom app all reachable from your public IP. Try http://1.2.3.4 in a browser.
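
Opening http://1.2.3.4 only proves that one forward works. What a practitioner also wants after the restart is confirmation that the nat table holds exactly the forwards that were planned: nothing missing, and no forward left over from an earlier edit of the interfaces file, since every DNAT rule is an exposure of a VM to the internet. The script below is an added example, not part of the original post or the Hetzner tutorial it links to; it compares the DNAT rules in an iptables-save dump against a plan list. The dump embedded here is a constructed sample of what iptables-save -t nat prints for the post's rules (with one extra, unplanned forward added to show a finding); on the real host you would feed it the live output as shown in the comment at the end. It applies equally to the Hetzner configuration at the top of the page if you swap vmbr0 for enp1s0 and the 172.20.1.x addresses into the plan.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the nat table of the
# Proxmox host against the forwards we intended to create, so a stale or
# unplanned DNAT rule is noticed after 'systemctl restart networking'.

# Constructed sample of `iptables-save -t nat` output (not real host output):
# the five planned forwards, the MASQUERADE rule, plus one forward
# (2222 -> 192.168.0.3:22) that is NOT in the plan.
SAMPLE_NAT_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i vmbr0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.1:80
-A PREROUTING -i vmbr0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.0.1:443
-A PREROUTING -i vmbr0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.0.2:25
-A PREROUTING -i vmbr0 -p tcp -m tcp --dport 465 -j DNAT --to-destination 192.168.0.2:465
-A PREROUTING -i vmbr0 -p tcp -m tcp --dport 1025 -j DNAT --to-destination 192.168.0.3:5000
-A PREROUTING -i vmbr0 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.168.0.3:22
-A POSTROUTING -s 192.168.0.0/24 -o vmbr0 -j MASQUERADE
COMMIT'

# The forwards from the post, one "outside_port inside_ip:inside_port" per line.
PLAN='80 192.168.0.1:80
443 192.168.0.1:443
25 192.168.0.2:25
465 192.168.0.2:465
1025 192.168.0.3:5000'

# dnat_forwards DUMP -> one "dport target" line per DNAT rule found in DUMP
dnat_forwards() {
    printf '%s\n' "$1" | awk '
        /-j DNAT/ {
            d = ""; t = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "--dport") d = $(i + 1)
                if ($i == "--to-destination") t = $(i + 1)
            }
            print d, t
        }'
}

# missing_forwards DUMP PLAN -> plan entries that have no matching DNAT rule
missing_forwards() {
    have=$(dnat_forwards "$1")
    printf '%s\n' "$2" | while IFS= read -r want; do
        [ -n "$want" ] || continue
        printf '%s\n' "$have" | grep -Fxq -- "$want" || printf '%s\n' "$want"
    done
}

# unexpected_forwards DUMP PLAN -> DNAT rules that the plan does not mention
unexpected_forwards() {
    dnat_forwards "$1" | while IFS= read -r got; do
        printf '%s\n' "$2" | grep -Fxq -- "$got" || printf '%s\n' "$got"
    done
}

# audit DUMP PLAN -> prints findings; returns 1 if the table and plan differ
audit() {
    rc=0
    m=$(missing_forwards "$1" "$2")
    u=$(unexpected_forwards "$1" "$2")
    [ -z "$m" ] || { printf 'MISSING (planned, not in nat table):\n%s\n' "$m"; rc=1; }
    [ -z "$u" ] || { printf 'UNEXPECTED (in nat table, not planned):\n%s\n' "$u"; rc=1; }
    [ "$rc" -eq 0 ] && echo "nat table matches the plan"
    return "$rc"
}

# Against the constructed sample: reports 2222 192.168.0.3:22 as UNEXPECTED
audit "$SAMPLE_NAT_DUMP" "$PLAN" || echo "audit found discrepancies"
# On the real host, as root, you would run instead:
#   audit "$(iptables-save -t nat)" "$PLAN"
```

Run it after every interfaces change; a non-zero exit from audit is the signal that the host is exposing something you did not plan, or that a forward did not come up.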